Amendments to the Claims

Please cancel Claims 5 and 17 without prejudice. 
Please amend the Claims as follows: 


1. (currently amended) A system for analyzing network traffic to use in performing 
network and security assessments by listening on a subject network, interpreting 
events, and taking action, comprising: 
a policy specification file; 
a network monitor processor [[for processing]] that processes network packet data
collected from said subject network; and

a policy monitoring component [[for receiving and processing]] that receives and
processes said policy specification file[[,]] and that receives and processes [[receiving
and processing]] said processed network packet data to assign policy dispositions to
network events contained in said network packet data, wherein said policy monitoring
component further comprises a policy engine that:

as each network packet arrives, compares said network packet data against
said policy specification file and responsive to said comparison assigns associated
policy dispositions and level of severity to said network events contained in said network
packet data;

interprets each protocol event; and

consults said policy specification file as each protocol event is interpreted to
ensure that an earliest determination of said disposition is reached.

2. (currently amended) The system of Claim 1, said policy monitoring component
further comprising:

a parser for parsing said policy specification file; and

[[a policy engine for synthesizing said parsed policy specification file and said
processed network packet data, and for performing said assign dispositions and level of
severity to said network events contained in said network packet data; and]]

a logger for logging and storing into an events database said synthesized
information by said policy engine according to a logging policy file.

3. (original) The system of Claim 2, further comprising: 
a query mechanism for mining said stored data in said events database.

4. (original) The system of Claim 2, further comprising:

an alarm script component for generating alarms based on said level of severity 
of said network events. 

5. (canceled)

6. (original) The system of Claim 1, wherein said collected network packet data is
captured in a file or is streams-based. 

7. (original) The system of Claim 1, further comprising:

a secure Web server comprising a Web server component and a report database 
for displaying reports online, said reports generated by said events database using a 
report script. 

8. (original) The system of Claim 1, further comprising:

a parser for generating an English description policy representation from said 
policy specification file. 

9. (original) The system of Claim 1, wherein said network monitor processor is
used in standalone mode.

10. (original) The system of Claim 1, wherein said network monitor processor and 
said policy monitoring component run on a same machine. 

11. (original) The system of Claim 1, further comprising:

a policy generator for generating said policy specification file. 






12. (original) The system of Claim 1, wherein said received network packet data is 
encoded. 



13. (currently amended) A method for analyzing network traffic to use in 
performing network and security assessments by listening on a subject network, 
interpreting events, and taking action, said method comprising: 
providing a policy specification file; 
providing a network monitor processor [[for processing]] that processes network
packet data collected from said subject network; and

providing a policy monitoring component [[for receiving and processing]] that
receives and processes said policy specification file[[,]] and that receives and processes
[[receiving and processing]] said processed network packet data to assign policy
dispositions to network events contained in said network packet data, wherein said
policy monitoring component further comprises a policy engine that:

as each network packet arrives, compares said network packet data against
said policy specification file and responsive to said comparison assigns associated
policy dispositions and level of severity to said network events contained in said network
packet data;

interprets each protocol event; and

consults said policy specification file as each protocol event is interpreted to
ensure that an earliest determination of said disposition is reached.

14. (currently amended) The method of Claim 13, said provided policy monitoring
component further comprising:

providing a parser for parsing said policy specification file; and

[[providing a policy engine for synthesizing said parsed policy specification file and
said processed network packet data, and for performing said assign dispositions and
level of severity to said network events contained in said network packet data; and]]

providing a logger for logging and storing into an events database said
synthesized information by said policy engine according to a logging policy file.

15. (original) The method of Claim 14, further comprising: 

providing a query mechanism for mining said stored data in said events
database.

16. (original) The method of Claim 14, further comprising:

providing an alarm script component for generating alarms based on said level of 
severity of said network events. 


17. (canceled) 

18. (original) The method of Claim 13, wherein said collected network packet data is 
captured in a file or is streams-based. 


19. (original) The method of Claim 13, further comprising:

providing a secure Web server comprising a Web server component and a report
database for displaying reports online, said reports generated by said events database
using a report script.

20. (original) The method of Claim 13, further comprising:

providing a parser for generating an English description policy representation 
from said policy specification file. 

21. (original) The method of Claim 13, wherein said network monitor processor is
used in standalone mode.

22. (original) The method of Claim 13, wherein said network monitor processor and 
said policy monitoring component run on a same machine. 

23. (original) The method of Claim 13, further comprising:

providing a policy generator for generating said policy specification file.






24. (original) The method of Claim 13, wherein said received network packet data is 
encoded. 



25. (currently amended) A method for iteratively developing network security 
policy for a network, comprising: 

creating an initial network security policy file; 

ensuring said initial network security policy file is uploaded to a machine on said
network;

running a network monitor on said network machine to collect said network
traffic;

said network monitor outputting said collected network traffic in an output file,
and passing said output file to a policy monitor component of Claim 13;

said policy monitor component analyzing said collected network traffic;

storing said analyzed network traffic in a database; 

examining said analyzed network traffic in said database by querying said
database using a query tool; 

modifying said initial network security policy file as needed; and

repeating from said ensuring network security policy file is uploaded through said
modifying said network security policy file until a comprehensive and desired policy file
is attained.

26. (original) The method of Claim 25, wherein said network machine is remote, and
further comprising uploading said modified network security policy file to said remote 
network machine as needed. 

27. (original) The method of Claim 25, further comprising: 

monitoring network traffic by using said attained comprehensive and desired
policy file.

28. (original) The method of Claim 27, wherein monitoring network traffic is on a 
continuous basis. 


29. (original) The method of Claim 25, further comprising: 

generating reports from said database, and using said generated reports as input 
for further policy refinement and/or using said generated reports for continuously 
monitoring network traffic. 


30. (original) The method of Claim 29, further comprising: 

encrypting said reports, and sending said encrypted reports to a remote secure
Web server.

31. (original) The method of Claim 30, further comprising:

accessing said reports on said remote server in a user-friendly manner. 

32. (original) The method of Claim 25, wherein creating an initial network security
policy file, and modifying said network security policy file as needed use a policy
generator tool.

33. (currently amended) A system for itera[[c]]tively developing network security 
policy for a network, said system comprising: 

means for creating an initial network security policy file;

means for ensuring said initial network security policy file is uploaded to a
machine on said network;

means for running a network monitor on said machine to collect said network
traffic;

means for said network monitor outputting said collected network traffic in an
output file, and passing said output file to a policy monitor component of Claim 1;

means for said policy monitor component analyzing said collected network traffic;

means for storing said analyzed network traffic in a database; 

means for examining said analyzed network traffic in said database by querying 
said database using a query tool; 

means for modifying said initial network security policy file as needed; and

means for repeating from said means for ensuring network security policy file is
uploaded through said means for modifying said network security policy file until a
comprehensive and desired policy file is attained.

34. (original) The system of Claim 33, wherein said network machine is remote, and
further comprising means for uploading said modified network security policy file to said
remote network machine as needed.

35. (original) The system of Claim 33, further comprising: 

means for monitoring network traffic by using said attained comprehensive and
desired policy file.

36. (original) The system of Claim 35, wherein monitoring network traffic is on a 
continuous basis. 

37. (original) The system of Claim 33, further comprising:

means for generating reports from said database, and using said generated 
reports as input for further policy refinement and/or using said generated reports for 
continuously monitoring network traffic. 

38. (original) The system of Claim 37, further comprising:

means for encrypting said reports, and sending said encrypted reports to a 
remote secure Web server. 

39. (original) The system of Claim 38, further comprising:

means for accessing said reports on said remote server in a user-friendly
manner.

40. (original) The system of Claim 33, wherein means for creating an initial network
security policy file, and modifying said network security policy file as needed uses a
policy generator tool.